Secure the way the verifySignature method is used

It either returns bool, int: 1, 0 or -1 and -1 will be evaluated to be
true in PHP. Making the use of this method unsafe when not strictly
testing for the desired outcome.

Author: MKodde

src/Http/ReceivedAuthnRequestQueryString.php

@@ -288,9 +288,10 @@ public function getSignedRequestPayload()
      */
     public function verify(XMLSecurityKey $key)
     {
-        if ($key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature())) {
-            return true;
+        $isVerified = $key->verifySignature($this->getSignedRequestPayload(), $this->getDecodedSignature());
+        if ($isVerified !== 1) {
+            return false;
         }
-        return false;
+        return true;
     }
 }

src/Signing/SignatureVerifier.php

@@ -21,7 +21,7 @@
 use Psr\Log\LoggerInterface;
 use RobRichards\XMLSecLibs\XMLSecurityKey;
 use SAML2\Certificate\Key;
-use SAML2\Certificate\KeyLoader as KeyLoader;
+use SAML2\Certificate\KeyLoader;
 use SAML2\Certificate\X509;
 use Surfnet\SamlBundle\Entity\ServiceProvider;
 use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
@@ -151,13 +151,13 @@ public function isSignedWith(AuthnRequest $request, X509 $publicKey)
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'public'));
         $key->loadKey($publicKey->getCertificate());
 
-        if ($key->verifySignature($request->getSignedRequestQuery(), $request->getSignature())) {
-            $this->logger->debug('Signature VERIFIED');
-            return true;
+        $isVerified = $key->verifySignature($request->getSignedRequestQuery(), $request->getSignature());
+        if ($isVerified !== 1) {
+            $this->logger->debug('Signature NOT VERIFIED');
+            return false;
         }
 
-        $this->logger->debug('Signature NOT VERIFIED');
-
-        return false;
+        $this->logger->debug('Signature VERIFIED');
+        return true;
     }
 }